1. Field of the Invention
The present invention relates to the management of information handling systems. More specifically, embodiments of the invention provide a system, method, and computer-readable medium for using an entryless One-Time Password (OTP) in an active tag environment.
2. Description of the Related Art
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Information handling systems have made life easier for businesses and individuals by making information readily available. For example, end users access business accounts to transact all sorts of business at all hours of the day. On-line bank accounts provide individuals with access to finances for transferring funds and paying bills from home, from the office or from wireless hotspots located throughout the world. Employees have access to work files through Internet connections to enterprise servers to allow work from home or virtually any location having an Internet connection. In many instances, information sent through the Internet is highly sensitive. Often, a substantial risk exists if such sensitive information gets into the wrong hands. For example, an individual can have unauthorized withdrawals from compromised accounts and enterprises face liability to customers who are injured by illicit use of sensitive information. Generally, access to sensitive information is protected with passwords and encryption; however, passwords sometimes fall into the wrong hands and no encryption method is foolproof.
In order to provide improved security, enterprises are increasingly turning to a multi-factor authentication solution for employee and customer access to sensitive information, such as remote banking, or remote access of any kind. One example of multi-factor authentication is the use of a One-Time Password (OTP), in conjunction with a traditional password, to authorize access to sensitive information. OTPs are typically generated by algorithms running on dedicated hardware devices, such as a key fob that generates and displays an OTP valid for a single use. One problem with OTPs is that the use of dedicated hardware devices increases the expense and complexity of implementing an OTP verification system. For example, losing or misplacing a dedicated hardware device means that an end user cannot access information until the device is replaced and the account is reset. One solution for implementing OTP without a dedicated device is to run the OTP algorithm in an application embedded in an information handling system. Such embedded systems typically present the OTP through a display or a software interface through an operating system's application layer.
However, communication of the OTP through an operating system or application layer makes the OTP vulnerable to exploitation, such as by hackers who have gained access to an information handling system through a malicious program running on the information handling system. Additionally, OTP tokens are inherently susceptible to time-of-use and time-of-check attacks due to being independently generated by a common algorithm. Other multi-factor approaches include the implementation of Near Field Communication (NFC) authentication, which has the potential to simplify the user logon experience for end user consumers and users controlled by domains. However, the security of NFC is potentially vulnerable due to its support of smart connected, smart disconnected, and “dumb” NFC cards. Furthermore, current NFC approaches lack support for third party authorities, such as a Public Key Infrastructure (PKI), that can vouch for authenticity and provide revocation when necessary.